Drawing upon decades of experience, RAND provides research services, systematic analysis, and innovative thinking to a global clientele that includes government agencies, foundations, and private-sector firms.

The Pardee RAND Graduate School (PRGS.edu) is the largest public policy Ph.D. program in the nation and the only program based at an independent public policy research organization—the RAND Corporation.

Financial Frameworks for Cybersecurity Are Failing

The Security Operation Centre for Telstra, Australia's biggest telecoms firm, which is used to monitor, detect, and respond to security incidents, including cyber attacks, in Sydney, Australia, August 24, 2017

Effective cybersecurity can be attained by creating financial incentives for manufacturers to produce secure technologies, or from legal frameworks that protect users and set standards for vendors. This conclusion is the result of four role-playing exercises we conducted in the U.S. and Australia during the past two years with over 200 participants.

And our participants were nearly unanimous in agreeing that both models are failing: existing financial incentives for security are insufficient at best, and society has failed to create and implement a regulatory model for cybersecurity.

We conducted exercises with experts from governments, industry, academia, and related sectors. Participants described cybersecurity as the knitting together of federal, state, and local laws; international treaties and agreements; industry standards; financial incentives; and the behaviors of individual users and institutions. They responded to our exercises in ways that present cybersecurity as a team sport with all participants on the same field, but playing without clear rules, without a team approach, and without knowing when to pass the ball or to whom.

Finger pointing was a common response we found during our research. Individual users blame institutions for failing to secure their data. These institutions blame the government for not keeping them safe. The government blames technology companies for selling insecure products. And technology companies blame consumers for buying products that are cheap, therefore creating financial incentives for insecure devices.

In our exercises, U.S. federal government officials suggested that safety standards for cybersecurity—similar to standards for automobiles—would be too difficult to create for both political and practical reasons, and that such standards would be unable to keep pace with the natural evolution of technology.

Law enforcement officials complained that holding bad actors accountable is often outside of their reach when attacks cross international borders, when attacks cannot be attributed to specific actors beyond a reasonable doubt, or when state-sponsors are involved.

From the perspective of these government officials, it is the responsibility of the private sector to create secure devices and software. Industry representatives, meanwhile, said they must focus on creating products that users will buy. If users continue to buy the cheapest product—rather than the secure one—manufacturers will not invest in security features that would raise product costs. They cited examples of product lines where the cheapest—and insecure—product dominates the market.

Government and industry representatives did agree on one thing: users share the blame. The individuals and institutions who do not activate their security settings, who do not update patches regularly, and who buy the cheapest product rather than the secure product, make themselves and everyone else vulnerable.

Advocates for privacy rights, journalists, researchers of data breaches, and representatives from the insurance sector told us that users should not be expected to understand the complex vulnerabilities they face. Users are often legally handcuffed by the end-user license agreements of the very companies blaming their own customers for not understanding how to act securely.

Ignorance or indifference to security practices should not be a cybersecurity excuse in the 21st century.

One solution participants proposed is to improve cybersecurity literacy through public awareness campaigns and education. Ignorance or indifference to security practices should not be a cybersecurity excuse in the 21st century.

Other solutions could be implemented as part of a broader strategy, but only if everyone is ready to take responsibility for their own role. Industry and nongovernmental organizations could partner to create cybersecurity standards and a certification program. A seal of approval on a product should be easy to understand by individuals or enterprise buyers who may lack technical knowledge. Informing consumers of a product's security at the point of sale could create new financial incentives for manufacturers by providing consumers the opportunity to compare security ratings across similar products, similar to what EnergyStar provides for energy efficiency or JD Powers for automobile ratings.

Participants proposed the creation of a new public trust for technology; a nonprofit organization could be established to create patches for software whose developers have gone bankrupt. “Immortal vulnerabilities”—vulnerabilities that exist in perpetuity because no vendor maintains the code—could be eradicated with the creation of a new entity funded to address these vulnerabilities.

And, eventually, the law must catch up. Users are on the cusp of losing the ability to unplug when their basic needs—including the use of household appliances and medical devices—cannot be met without Internet connectivity and sharing of intimate user information. A users bill of rights could be established and liability laws could be updated for the modern era. The blame for cyber incidents is often assigned in the court of public opinion and sentences are doled out in the loss of public trust and market share; these effects do not improve security and often create incentives to conceal breaches.

When it comes to the failures of cybersecurity, we all need to take responsibility. Individual users and institutions are responsible for activating their product's security features, installing updates, and considering security at the point of purchase. Technology companies and federal and state governments could partner to create cybersecurity standards and make these standards easy to understand for consumers, just as they have for vehicle emission and safety standards. Schools could offer cybersecurity literacy just as they would offer health and safety classes for teens and young adults.

The collective good intentions of users, enterprise buyers, vendors, manufacturers, and government officials are insufficient if stakeholders fail to act or if they wait for other players to act. Cybersecurity is a team sport, and it will only be successful if everyone plays their position.

Cortney Weinbaum is a management scientist, Igor Mikolic-Torreira is a senior fellow and Don Snyder is a senior physical scientist at the nonprofit, nonpartisan RAND Corporation. This research was funded with grants from the William and Flora Hewlett Foundation.

Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.

The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest.